Generating beta or application keys

I will be writing a script in PHP to generate keys which will be used by site members to gain access to game betas, game free trials etc. Basically it will be a long code that will be unique to them, kind of like a MS Windows key. I haven't done this before and am looking for a bit of advice on how to make it work. My initial idea is to generate a long random string of alpha numeric characters.

Is this a wise approach and am I missing anything that I should be considering security wise or anything else?

Are these games online (i.e. flash games) themselves? Or are these regular, or offline games?

A primitive idea of what I'd do is generate a set of keys which all have a certain checksum, so the game instances can do a primitive check on the validity of the key.
Then I'd store these in a DB and disable them one by one as they are handed out, in order to prevent distributing duplicates.

You can then complicate this by "calling home" from each instance of the demo games to report some unique system variable that the current host is using and determine whether the same key was used on radically different systems/areas of the globe/IPs in the past.

That's just a quick idea, and I'm sure there are far better options than this.

Programming boils down to three things: fast, good and cheap.
Please pick two.

As long as the key does not need to be validated against the software, then you can in general create the key any way you want. Just check it against the DB to make sure it does not already exist, and make it random enough so people can't increase one number to get another valid key.
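The two replies above (random keys checked for uniqueness in the DB, plus a checksum the game can verify offline, and keys disabled one by one as they are handed out) as one worked example in PHP. This is an added illustration, not code from the thread; the constant, function and class names are hypothetical, and a PHP array stands in for the database table. It draws the key from a CSPRNG, appends a check symbol, and redeems each key exactly once.

```php
<?php
declare(strict_types=1);

// Added example (not from the thread). Names are hypothetical. Requires PHP 7.4+.

// 32-symbol alphabet with the look-alikes 0/O and 1/I removed, so keys survive
// being read out over the phone or typed from a screenshot.
const KEY_ALPHABET = 'ABCDEFGHJKLMNPQRSTUVWXYZ23456789';
const KEY_BODY_LEN = 19;                 // 19 symbols * 5 bits = 95 bits of entropy
const KEY_LEN      = KEY_BODY_LEN + 1;   // plus one check symbol

// Random body from a CSPRNG. rand()/mt_rand()/uniqid() are predictable; never use them here.
function randomKeyBody(int $length = KEY_BODY_LEN): string
{
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        $out .= KEY_ALPHABET[random_int(0, strlen(KEY_ALPHABET) - 1)];
    }
    return $out;
}

// Weighted sum of symbol positions, mod 32. This only catches typos; it adds no
// security, because anyone with a copy of the game can recompute it.
function checksumChar(string $body): string
{
    $sum = 0;
    for ($i = 0, $n = strlen($body); $i < $n; $i++) {
        $sum += (($i % 7) + 1) * (int) strpos(KEY_ALPHABET, $body[$i]);
    }
    return KEY_ALPHABET[$sum % 32];
}

// Strip dashes/spaces and case so "abcde-fghjk" and "ABCDEFGHJK" compare equal.
function normalizeKey(string $input): string
{
    return strtoupper((string) preg_replace('/[^A-Za-z0-9]/', '', $input));
}

// Produces keys of the form XXXXX-XXXXX-XXXXX-XXXXX (last symbol is the check symbol).
function generateKey(): string
{
    $body = randomKeyBody();
    return implode('-', str_split($body . checksumChar($body), 5));
}

// Offline check a game client can run before bothering the server.
function passesChecksum(string $input): bool
{
    $raw = normalizeKey($input);
    if (strlen($raw) !== KEY_LEN || !preg_match('/^[' . KEY_ALPHABET . ']+$/', $raw)) {
        return false;
    }
    return checksumChar(substr($raw, 0, KEY_BODY_LEN)) === $raw[KEY_BODY_LEN];
}

// Server-side registry. An array stands in for the DB table; only a hash of each
// key is stored, so a dumped table does not hand the unused keys to an attacker.
final class KeyRegistry
{
    /** @var array<string, bool> sha256(key) => already used */
    private array $rows = [];

    public function issue(int $count): array
    {
        $keys = [];
        while (count($keys) < $count) {
            $key = generateKey();
            $id  = hash('sha256', normalizeKey($key));
            if (isset($this->rows[$id])) {
                continue;                    // duplicate: discard and draw again
            }
            $this->rows[$id] = false;
            $keys[] = $key;
        }
        return $keys;
    }

    // Single-use redemption. Against a real DB do this as one atomic statement,
    // e.g. UPDATE keys SET used = 1 WHERE hash = ? AND used = 0, and treat
    // "0 rows affected" as rejection so two concurrent requests cannot both succeed.
    public function redeem(string $input): string
    {
        if (!passesChecksum($input)) {
            return 'malformed';
        }
        $id = hash('sha256', normalizeKey($input));
        if (!isset($this->rows[$id])) {
            return 'unknown';
        }
        if ($this->rows[$id]) {
            return 'already-used';
        }
        $this->rows[$id] = true;
        return 'ok';
    }
}

$registry = new KeyRegistry();
[$first, $second] = $registry->issue(2);
foreach ([$first, $first, $second, 'AAAAA-AAAAA-AAAAA-AAAAA', 'not a key'] as $candidate) {
    printf("%-25s %s\n", $candidate, $registry->redeem($candidate));
}
```

Redeeming the same key a second time is refused as already used, and the all-A key passes the checksum (a constructed input chosen for that reason) yet is refused as unknown, which is the point: the checksum is a convenience for the client, the database lookup is the security control. On the brute-force question raised later in the thread: with 10,000 issued keys in a space of 32^19 (about 2^95), a random guess hits a live key with probability around 10^4 / 2^95, so guessing is hopeless as long as the redemption endpoint is rate-limited and every attempt is logged.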

I generate a list of say 1000 keys that I store locally and give a copy to a 3rd party website. I make keys available 1 per user and mark them as used as they are taken, the user goes to the 3rd party site and enters it to "get free stuff" which they get as long as the key exists and has not been marked as used by the 3rd party site. It then gets marked as used by the 3rd party.

Is this kind of thing done purely by obscurity, i.e. there might be 10,000 keys but there are 5 billion combinations, making guessing a key extremely improbable, or should I be using some other more secure method? How obscure would it need to be to safely prevent brute-force attempts at key generation?

Product keys are always based on obscurity; if you are lucky you can randomly type in a correct key to any product. There are a few exceptions where this is not possible, but that is for more expensive products.

In your case, you have no algorithm that you need to follow. This allows you to freely create the keys, just make sure you're making them random enough.

For a pretty much bullet-proof app I am sure you will have to use some form of keys similar to asymmetric encryption (i.e. public/private key pairs) with the serial being your public-key encrypted message (i.e. an "ok" encrypted with a public key) and letting the other party decrypt the serial to the same "ok" using their private key.
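The public/private key idea from the last reply, as an added example that is not code from the thread. In practice the arrangement is a digital signature: the vendor signs the serial's payload with the private key, which never leaves the issuing server, and the game verifies it with a public key compiled into the binary, so nobody who only has the game can mint new serials. This example uses Ed25519 through PHP's bundled sodium extension; the function names, the payload layout (product, 8-byte serial number, expiry) and the tampering demonstration are my own choices.

```php
<?php
declare(strict_types=1);

// Added example (not from the thread); names are hypothetical.
// Requires PHP 7.2+ with the sodium extension (Ed25519 signatures).

const PAYLOAD_LEN = 8 + 8 + 4;   // product (8 bytes) + serial number (8) + expiry (uint32)

// Vendor side, run once. Keep the secret key on the issuing server only;
// the public key is the only thing shipped with the game.
function makeIssuerKeypair(): array
{
    $kp = sodium_crypto_sign_keypair();
    return [
        'secret' => sodium_crypto_sign_secretkey($kp),
        'public' => sodium_crypto_sign_publickey($kp),
    ];
}

// Serial = base64url( payload || Ed25519 signature over payload ).
function issueSerial(string $secretKey, string $product, int $expiresAt): string
{
    $payload   = pack('a8', $product) . random_bytes(8) . pack('N', $expiresAt);
    $signature = sodium_crypto_sign_detached($payload, $secretKey);
    return sodium_bin2base64($payload . $signature, SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING);
}

// Client side: needs only the public key. Returns the decoded fields, or null if
// the serial is malformed, forged, issued for another product, or expired.
function verifySerial(string $publicKey, string $serial, string $expectedProduct, int $now): ?array
{
    try {
        $bin = sodium_base642bin($serial, SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING);
        if (strlen($bin) !== PAYLOAD_LEN + SODIUM_CRYPTO_SIGN_BYTES) {
            return null;
        }
        $payload   = substr($bin, 0, PAYLOAD_LEN);
        $signature = substr($bin, PAYLOAD_LEN);
        // Verify the signature BEFORE interpreting any field of the payload.
        if (!sodium_crypto_sign_verify_detached($signature, $payload, $publicKey)) {
            return null;
        }
    } catch (SodiumException $e) {
        return null;                           // bad base64 or wrong key/signature size
    }
    $fields = unpack('a8product/a8serial/Nexpires', $payload);
    $fields['product'] = rtrim($fields['product'], "\0");
    $fields['serial']  = bin2hex($fields['serial']);
    if ($fields['product'] !== $expectedProduct || $fields['expires'] <= $now) {
        return null;
    }
    return $fields;
}

$issuer = makeIssuerKeypair();
$serial = issueSerial($issuer['secret'], 'BETA', time() + 30 * 86400);
echo "serial: $serial\n";
var_dump(verifySerial($issuer['public'], $serial, 'BETA', time()));

// Tamper with one byte of the product field: the signature no longer matches.
$bin    = sodium_base642bin($serial, SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING);
$bin[0] = 'X';
$forged = sodium_bin2base64($bin, SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING);
var_dump(verifySerial($issuer['public'], $forged, 'BETA', time()));

// A serial for the wrong product, and one checked after its expiry, are also rejected.
var_dump(verifySerial($issuer['public'], $serial, 'TRIAL', time()));
var_dump(verifySerial($issuer['public'], $serial, 'BETA', time() + 60 * 86400));
```

Two caveats a practitioner would want. First, a valid signature only proves the vendor issued the serial; it says nothing about whether it has already been used, so the "one key per user" rule from earlier in the thread still needs the server-side registry. Second, the 84 bytes of payload plus signature come out at 112 base64url characters, far too long to hand-type, so this shape suits activation data the game fetches and stores, while the short code a user types remains a random database token.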